Security Hats: Black Hats or White Hats, There's No Grayscale

The media and the public remain starstruck over crackers. Adrian Lamo pleads guilty to felony charges for breaking into New York Times computers, yet he and his fellow crackers are cast as heroes, and the FBI as the goats.

Prior to the plea, reporters slammed the Feds for bungling media subpoenas, based on the comments of a Justice official who remains anonymous.

Daniel Baas, the Acxiom hacker, is busted, but according to one reporter, "was only caught because he helped out a friend in the hacker community," implying he'd never have been caught by those knuckle-dragging, fumbling Feds.

Public fascination with cracking is tainting even professional security conferences. At InfoSec World, the "International leader in audit and information security training" will present, as a keynote event, an uncensored interview with controversial hacker (and convicted felon), Kevin Mitnick.

The bio in the advance program is a masterpiece of spin: "expert in exposing vulnerabilities of complex operating systems and telecom devices" is cleverly substituted for "criminal who pleaded guilty to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication". Cloning phones, social engineering, stealing software, and compromising computers are described as "technical and non-technical means to obtain the source code to operating systems and telecom devices", a euphemism one might expect in Scott Adams' Dilbert series, alongside "involuntary separation from payroll".

Keeping Score

Whether the verdicts are popular or lamentable is irrelevant: the official score in these cases is Feds 3, crackers 0. There are, of course, losses in the FBI's record, but the game stats associated with their wins are sobering. Lamo awaits sentencing and faces between six and twelve months in prison. Baas faces at least the 46 months served by Mitnick, perhaps more. In both pending cases there's also the matter of compensatory damages (Mitnick is obliged to make restitution as part of his plea agreement).

Not Exactly

Somewhere along the timeline of hacking and cracking, someone, possibly the L0pht, substituted a gray-scale palette for classic black and white. The gray hat became the ambiguous icon of hacktivism: the sometimes questionable practice of non-malicious probing of computers and networks for vulnerabilities, done for entertainment, occasional fame, or notoriety.

Gray-hat hacktivists claim they are "doing good" because they disclose vulnerabilities that might otherwise be exploited by (ahem) persons of lesser integrity; that they are independent researchers who occasionally make political statements; and that they don't harm anything or anyone.

What gray hats fail to appreciate is that they don't own the definition of harmless.

Suppose a gray hat discloses that he accessed a medical database, but claims he didn't actually study or copy it. Perhaps he did A Good Thing by notifying the medical practice, but patients of that practice will not consider the act "harmless". The facts here are plain: the same individual would not have been hired to perform this penetration test; in doing it on his own, he broke the law, perhaps several laws; and he expects attention rather than detention, so he hides behind a woolly moniker.

Gray hats are also insensitive to the emotional damage a victim associates with an attack. If someone were to break into your home, you would feel violated, uncertain of what transpired, what personal items were touched, abused, or stolen. Everything would seem creepy and tainted. You might even move. The emotions are no different with computer break-ins. What did the attacker see, take,... leave?

Gray scale obscures true color

Gray hat motivations are ambiguous at best, and this calls character into question. Suppose someone were to appear at your front door one morning and inform you that he broke into your bedroom the night before. He shows you how he bypassed the alarm and compromised the lockset, and points to a letter he left in your dresser to corroborate his claim. How warmly would you receive this interloper? What cause would you have to believe he revealed everything he did, or saw? Given his behavior, how could you trust him?

Five Reasons to Avoid Hiring Crackers (convicted or admitted):

1. Breaking doesn't imply building.

It's not a given that a cracker has competency in any security discipline but penetration testing. Crackers may be good at compromising computers, but they may not be capable of designing complex, multi-tiered, multi-organizational security systems.

2. No assurance of full disclosure.

Are you prepared to trust that a former gray or black hat will reveal everything discovered during a penetration test? Consider the possibility that he'll withhold or copy sensitive information and use it for personal gain.

3. Is the cracker "out of the business"?

What assurances do you have that the cracker you hire or employ isn't still probing systems without authorization? Could your company be complicit in a criminal act?

4. Who else is affected by your hiring decision?

Your decision to employ crackers may not be acceptable to business partners, insurers, shareholders, and regulators. If your business partner has a strict policy regarding the employment of convicted computer felons, how will that company react to your decision?

5. Plays well with others?

Crackers are notorious loners. Many have quick tempers and lack social and team skills. Evaluate a cracker using the same hiring criteria you apply to any other job description.

The problem with shades of gray is that color distinctions can be conveniently blurred. You can't have gray when you evaluate hacking in an ethical context: only black hats benefit from being perceived as gray. A recent CNET news column claims that "most security specialists classify hackers as white hats or black hats, but in reality, most hackers fall somewhere in between".

I contend this claim is entirely false. As my colleague and respected security expert Marcus Ranum points out, "the mere existence of a $13 billion/year security industry is a fairly strong statement about how mature enterprises feel regarding hackers. That the FORTUNE 500 spent billions last year to keep hackers out should tell the hackers, and the media, that their 'curiosity' is neither harmless nor welcome."

Morally, and increasingly, legally, you either wear white, or you wear black.